{"update": {"autokarma": true, "autotime": true, "stable_karma": 1, "stable_days": 7, "unstable_karma": -1, "require_bugs": true, "require_testcases": true, "display_name": "", "notes": "This is a security release of Python 3.11\n-----------------------------------------\n\n**Note:** The release you're looking at is Python 3.11.10, a **security bugfix release** for the legacy 3.11 series. *Python 3.12* is now the latest feature release series of Python 3.\n\nSecurity content in this release\n--------------------------------\n\n-   [gh-123067](https://github.com/python/cpython/issues/123067): Fix quadratic complexity in parsing `\"`-quoted cookie values with backslashes by [`http.cookies`](https://docs.python.org/3/library/http.cookies.html#module-http.cookies). Fixes CVE-2024-7592.\n-   [gh-113171](https://github.com/python/cpython/issues/113171): Fixed various false positives and false negatives in IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global. Fixes CVE-2024-4032.\n-   [gh-67693](https://github.com/python/cpython/issues/67693): Fix [`urllib.parse.urlunparse()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunparse) and [`urllib.parse.urlunsplit()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunsplit) for URIs with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.\n-   [gh-121957](https://github.com/python/cpython/issues/121957): Fixed missing audit events around interactive use of Python, now also properly firing for `python -i`, as well as for `python -m asyncio`. The event in question is `cpython.run_stdin`.\n-   [gh-122133](https://github.com/python/cpython/issues/122133): Authenticate the socket connection for the `socket.socketpair()` fallback on platforms where `AF_UNIX` is not available like Windows.\n-   [gh-121285](https://github.com/python/cpython/issues/121285): Remove backtracking from tarfile header parsing for `hdrcharset`, PAX, and GNU sparse headers. That's CVE-2024-6232.\n-   [gh-114572](https://github.com/python/cpython/issues/114572): [`ssl.SSLContext.cert_store_stats()`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.cert_store_stats) and [`ssl.SSLContext.get_ca_certs()`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs) now correctly lock access to the certificate store, when the [`ssl.SSLContext`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext) is shared across multiple threads.\n-   [gh-102988](https://github.com/python/cpython/issues/102988): [`email.utils.getaddresses()`](https://docs.python.org/3/library/email.utils.html#email.utils.getaddresses) and [`email.utils.parseaddr()`](https://docs.python.org/3/library/email.utils.html#email.utils.parseaddr) now return `('', '')` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use `strict=False` to get the old behavior, accept malformed inputs. `getattr(email.utils, 'supports_strict_parsing', False)` can be use to check if the *strict* paramater is available. This improves the CVE-2023-27043 fix.\n-   [gh-123270](https://github.com/python/cpython/issues/123270): Sanitize names in [`zipfile.Path`](https://docs.python.org/3/library/zipfile.html#zipfile.Path) to avoid infinite loops ([gh-122905](https://github.com/python/cpython/issues/122905)) without breaking contents using legitimate characters. That's CVE-2024-8088.\n-   [gh-121650](https://github.com/python/cpython/issues/121650): [`email`](https://docs.python.org/3/library/email.html#module-email) headers with embedded newlines are now quoted on output. The [`generator`](https://docs.python.org/3/library/email.generator.html#module-email.generator) will now refuse to serialize (write) headers that are unsafely folded or delimited; see [`verify_generated_headers`](https://docs.python.org/3/library/email.policy.html#email.policy.Policy.verify_generated_headers). That's CVE-2024-6923.\n-   [gh-119690](https://github.com/python/cpython/issues/119690): Fixes data type confusion in audit events raised by `_winapi.CreateFile` and `_winapi.CreateNamedPipe`.\n-   [gh-116773](https://github.com/python/cpython/issues/116773): Fix instances of `<_overlapped.Overlapped object at 0xXXX> still has pending operation at deallocation, the process may crash`.\n-   [gh-112275](https://github.com/python/cpython/issues/112275): A deadlock involving `pystate.c`'s `HEAD_LOCK` in `posixmodule.c` at fork is now fixed.This is a security release of Python 3.9\n----------------------------------------\n\n**Note:** The release you're looking at is Python 3.9.20, a **security bugfix release** for the legacy 3.9 series. *Python 3.12* is now the latest feature release series of Python 3. [Get the latest release of 3.12.x here](https://www.python.org/downloads/).\n\nSecurity content in this release\n--------------------------------\n\n-   [gh-123678](https://github.com/python/cpython/issues/123678) and [gh-116741](https://github.com/python/cpython/issues/116741): Upgrade bundled libexpat to 2.6.3 to fix [CVE-2024-28757](https://github.com/advisories/GHSA-ch5v-h69f-mxc8), [CVE-2024-45490](https://github.com/advisories/GHSA-4hvh-m426-wv8w), [CVE-2024-45491](https://github.com/advisories/GHSA-784x-7qm2-gp97) and [CVE-2024-45492](https://github.com/advisories/GHSA-5qxm-qvmj-8v79).\n-   [gh-118486](https://github.com/python/cpython/issues/118486): [`os.mkdir()`](https://docs.python.org/3/library/os.html#os.mkdir) on Windows now accepts *mode* of `0o700` to restrict the new directory to the current user. This fixes CVE-2024-4030 affecting [`tempfile.mkdtemp()`](https://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp) in scenarios where the base temporary directory is more permissive than the default.\n-   [gh-123067](https://github.com/python/cpython/issues/123067): Fix quadratic complexity in parsing `\"`-quoted cookie values with backslashes by [`http.cookies`](https://docs.python.org/3/library/http.cookies.html#module-http.cookies). Fixes CVE-2024-7592.\n-   [gh-113171](https://github.com/python/cpython/issues/113171): Fixed various false positives and false negatives in IPv4Address.is_private, IPv4Address.is_global, IPv6Address.is_private, IPv6Address.is_global. Fixes CVE-2024-4032.\n-   [gh-67693](https://github.com/python/cpython/issues/67693): Fix [`urllib.parse.urlunparse()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunparse) and [`urllib.parse.urlunsplit()`](https://docs.python.org/3/library/urllib.parse.html#urllib.parse.urlunsplit) for URIs with path starting with multiple slashes and no authority. Fixes CVE-2015-2104.\n-   [gh-121957](https://github.com/python/cpython/issues/121957): Fixed missing audit events around interactive use of Python, now also properly firing for `python -i`, as well as for `python -m asyncio`. The event in question is `cpython.run_stdin`.\n-   [gh-122133](https://github.com/python/cpython/issues/122133): Authenticate the socket connection for the `socket.socketpair()` fallback on platforms where `AF_UNIX` is not available like Windows.\n-   [gh-121285](https://github.com/python/cpython/issues/121285): Remove backtracking from tarfile header parsing for `hdrcharset`, PAX, and GNU sparse headers. That's CVE-2024-6232.\n-   [gh-114572](https://github.com/python/cpython/issues/114572): [`ssl.SSLContext.cert_store_stats()`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.cert_store_stats) and [`ssl.SSLContext.get_ca_certs()`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs) now correctly lock access to the certificate store, when the [`ssl.SSLContext`](https://docs.python.org/3/library/ssl.html#ssl.SSLContext) is shared across multiple threads.\n-   [gh-102988](https://github.com/python/cpython/issues/102988): [`email.utils.getaddresses()`](https://docs.python.org/3/library/email.utils.html#email.utils.getaddresses) and [`email.utils.parseaddr()`](https://docs.python.org/3/library/email.utils.html#email.utils.parseaddr) now return `('', '')` 2-tuples in more situations where invalid email addresses are encountered instead of potentially inaccurate values. Add optional *strict* parameter to these two functions: use `strict=False` to get the old behavior, accept malformed inputs. `getattr(email.utils, 'supports_strict_parsing', False)` can be use to check if the *strict* paramater is available. This improves the CVE-2023-27043 fix.\n-   [gh-123270](https://github.com/python/cpython/issues/123270): Sanitize names in [`zipfile.Path`](https://docs.python.org/3/library/zipfile.html#zipfile.Path) to avoid infinite loops ([gh-122905](https://github.com/python/cpython/issues/122905)) without breaking contents using legitimate characters. That's CVE-2024-8088.\n-   [gh-121650](https://github.com/python/cpython/issues/121650): [`email`](https://docs.python.org/3/library/email.html#module-email) headers with embedded newlines are now quoted on output. The [`generator`](https://docs.python.org/3/library/email.generator.html#module-email.generator) will now refuse to serialize (write) headers that are unsafely folded or delimited; see [`ver", "type": "security", "status": "stable", "request": null, "severity": "medium", "suggest": "unspecified", "locked": false, "pushed": true, "critpath": false, "critpath_groups": "", "close_bugs": true, "date_submitted": "2024-09-11 20:17:42", "date_modified": null, "date_approved": "2024-09-19 02:41:35", "date_testing": "2024-09-12 02:40:02", "date_stable": "2024-09-20 00:43:10", "alias": "FEDORA-2024-f652468298", "test_gating_status": "ignored", "from_tag": null, "date_pushed": "2024-09-20 00:43:10", "meets_testing_requirements": true, "url": "https://bodhi.fedoraproject.org/updates/FEDORA-2024-f652468298", "title": "python3.8-3.8.20-1.fc39", "version_hash": "50a96c350f1ea9b2d47e90f2327b6929e60ba8b0", "release": {"name": "F39", "long_name": "Fedora 39", "version": "39", "id_prefix": "FEDORA", "branch": "f39", "dist_tag": "f39", "stable_tag": "f39-updates", "testing_tag": "f39-updates-testing", "candidate_tag": "f39-updates-candidate", "pending_signing_tag": "f39-signing-pending", "pending_testing_tag": "f39-updates-testing-pending", "pending_stable_tag": "f39-updates-pending", "override_tag": "f39-override", "mail_template": "fedora_errata_template", "state": "archived", "composed_by_bodhi": true, "create_automatic_updates": false, "package_manager": "dnf", "testing_repository": "updates-testing", "released_on": null, "eol": "2024-11-26", "critpath_mandatory_days_in_testing": 14, "mandatory_days_in_testing": 7, "critpath_min_karma": 2, "min_karma": 1, "setting_status": null}, "user": {"name": "churchyard", "email": "mhroncok@redhat.com", "id": 533, "avatar": "https://seccdn.libravatar.org/avatar/e221b70024cf971d8b43de0260d2babde9179cdf72605bf3168420e3efe07423?s=24&d=retro", "openid": "churchyard.id.fedoraproject.org", "groups": [{"name": "provenpackager"}, {"name": "packager"}, {"name": "python-sig"}, {"name": "signed_fpca"}, {"name": "3d-printing-sig"}, {"name": "python-packagers-sig"}, {"name": "fedora-contributor"}, {"name": "sysadmin-badges"}, {"name": "ipausers"}, {"name": "sysadmin"}, {"name": "lua-packagers-sig"}, {"name": "fedorabugs"}, {"name": "cvsadmin"}, {"name": "ambassadors"}, {"name": "packaging-committee"}, {"name": "advocates"}]}, "comments": [{"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for testing by churchyard. ", "timestamp": "2024-09-11 20:17:42", "update_id": 647694, "user_id": 91, "id": 3715894, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update's test gating status has been changed to 'ignored'.", "timestamp": "2024-09-11 20:17:43", "update_id": 647694, "user_id": 91, "id": 3715895, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to testing.", "timestamp": "2024-09-12 02:40:46", "update_id": 647694, "user_id": 91, "id": 3716501, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been submitted for stable by bodhi. ", "timestamp": "2024-09-19 02:41:35", "update_id": 647694, "user_id": 91, "id": 3728346, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}, {"karma": 0, "karma_critpath": 0, "text": "This update has been pushed to stable.", "timestamp": "2024-09-20 00:43:52", "update_id": 647694, "user_id": 91, "id": 3729951, "bug_feedback": [], "testcase_feedback": [], "user": {"name": "bodhi", "email": null, "id": 91, "avatar": "https://apps.fedoraproject.org/img/icons/bodhi-24.png", "openid": "bodhi.id.fedoraproject.org", "groups": []}}], "builds": [{"nvr": "python3.8-3.8.20-1.fc39", "signed": true, "release_id": 70, "type": "rpm", "epoch": 0}], "bugs": [], "updateid": "FEDORA-2024-f652468298", "karma": 0, "content_type": "rpm", "test_cases": []}, "can_edit": false, "ci_allowed": false}